
Re: RFS: sipvicious/0.2.7-1 [ITP] Tools to audit SIP based VoIP systems



For support@m.d.n: I believe the below package to be undistributable due
to lacking and wrong license declarations.

On Fri, Nov 02, 2012 at 12:56:21PM +0100, Victor Seva wrote:
>     sipvicious - set of tools that can be used to audit SIP based VoIP
> systems.

Can you briefly explain the relation of the tool to similar utilities
such as sipsak or sip-tester?

>     dget -x http://mentors.debian.net/debian/pool/main/s/sipvicious/sipvicious_0.2.7-1.dsc

I had a look at your package.

debian/changelog lists "UNRELEASED" as distribution. This has to be
changed before uploading.

The Build-Depends seem strange to me. Can you explain why you depend on
"python | python-all |python-dev | python-all-dev"? In any case listing
python-dev there seems like a Python Policy violation. Appendix A says:

| Packages that do not require the -dev packages must not build-depend
| on them. 

debian/copyright uses two different names to reference the same GPL
version. Usage of "GPL-2.0+" seems uncommon as well. Maybe you can make
this more consistent?

Looking deeper you can see that GPL-2 is actually wrong. The works are
even incompatible with GPL-2 as can be seen in the header of svcrack.py
for example.

debian/copyright also does not mention the addition of works authored by
Andi Albrecht. Indeed I totally failed to find a license for those works
so far. That would make your package undistributable.

Going further your manual pages seem to be based on the help messages of
the tools. To me it seems like the pages need to be considered
derivative works. That means they lack copyright statements for
upstream.

debian/rules still contains comments from dh-make. Can you clean those?

Maybe I missed something, but why do you Build-Depend on python-support
and then use dh --with python2 instead? That dependency seems useless.
And why do you use any of those tools when you don't ship any Python
modules?

Upstream ships Berkeley DB files. I was wondering if they are in
"preferred form for modification" according to said GPL-2^H3.

Furthermore those Berkeley DB files are accessed from svfphelper.py using
relative paths. So after installing those tools, the databases will not
be found unless you first cd to /usr/share/sipvicious.

You list a homepage in debian/changelog, but it is notably absent in
debian/control. Maybe you can add that?

To me it seems like more work is needed before prime time.

Helmut
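
Added example, not part of the original message and not sipvicious code: it reproduces the relative-path lookup problem raised above in a constructed install tree and shows a lookup anchored to the module's own location. The file name `fingerprints.db` and the functions `open_relative`, `resolve_data_file` and `demo` are hypothetical.

```python
import os
import tempfile

DB_NAME = "fingerprints.db"  # hypothetical name standing in for upstream's DB files


def open_relative(name=DB_NAME):
    """The pattern the review describes: resolved against the current directory."""
    return open(name, "rb")


def resolve_data_file(name, module_file):
    """Resolve a data file next to the module, independent of the working directory.

    realpath() follows symlinks, so a launcher symlinked from a bin directory
    into the package's data directory still finds its files.
    """
    module_dir = os.path.dirname(os.path.realpath(module_file))
    path = os.path.join(module_dir, name)
    if not os.path.isfile(path):
        raise FileNotFoundError("%s not found in %s" % (name, module_dir))
    return path


def demo():
    """Build a constructed install tree, run from another directory, compare."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "usr", "share", "sipvicious")
        elsewhere = os.path.join(root, "home")
        os.makedirs(share)
        os.makedirs(elsewhere)
        helper = os.path.join(share, "svfphelper.py")
        open(helper, "w").close()  # empty stand-in for the real helper
        with open(os.path.join(share, DB_NAME), "wb") as fh:
            fh.write(b"constructed sample data")
        os.chdir(elsewhere)  # user invokes the tool from some other directory
        try:
            try:
                open_relative().close()
                relative_ok = True
            except FileNotFoundError:
                relative_ok = False
            found = resolve_data_file(DB_NAME, helper)
            anchored_ok = os.path.dirname(found) == os.path.realpath(share)
        finally:
            os.chdir(old_cwd)
    return relative_ok, anchored_ok
```

Inside an installed module the second argument would be the module's own `__file__`.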

